Mining the threat landscape

On paper, the cloud is a wonderful thing for small businesses. It gives even the smallest of firms access to enterprise-level software, reduces capital expenditure, and is increasingly seen as being a good move for security, too.

This is a turnaround in recent months, says Ben Gower, MD at Perspicuity, a UK SaaS (software-as-a-service) reseller, noting that this time last year, clients were more likely to be worried that a cloud deployment would leave them out of control of their own data and hugely vulnerable to attack.

“We asked a group of 35 clients and potential clients in the sub-50 seat range for three reasons to move to the cloud and three reasons not to. Increased security came out as one of the top reasons to move,” he told us. “The perception now is that the cloud is more secure.”

Gower is talking to people about fully managed cloud deployments with email, apps and everything running offsite and being piped in. For him, security is already part of the package. But only a sub-section of the SME (small and medium enterprises) sector uses cloud like this.

The rest of the cloudscape is a mixed bag of hybrid deployments, use of consumer cloud offerings, and in some cases, outsourced IT contracts where companies might not even know they are using cloud at all.

So, the only real answer to the question of whether or not a cloud service will improve your security is “How long is a piece of string?” And this is the answer to a lot of questions about the SME sector.

Making small talk

In the UK, small to medium-sized firms – usually defined as being up to 250 seats – account for almost half of private sector turnover, and employ almost 60 per cent of the private sector workforce. If you discount the financial services sector, too, the percentage rises even higher. Figures from analyst house Canalys show that this subset of businesses accounts for 99.8 per cent of enterprises in the EU.

Once you realise how large the sector is, you see immediately why it is hard to talk about it in general terms. The needs of a 250-seat organisation cannot be the same as those of a firm with five or even 25 employees; a construction firm looks nothing like a small medical practice, even if they both have 15 people on staff; and even a single growing business will find that both its budget and its requirements will change significantly if it expands from, say, five to 50 people.

Not all of these businesses could move themselves into the cloud, wholesale, even if they wanted to. Some organisations have very specific requirements in security. Anyone working with sensitive personal or financial data will simply not be able to move it all into the cloud.

“For example, a group of doctors have very specific requirements around patient records. It is unlikely that any cloud provider would be able to give them the kind of security they’d need for that,” says David Small, head of McAfee's UK channel programme. “There will be a need for some serious internal security.”

As the managing director of Caretower, a London-based IT security reseller, Phydos Neophytou has a particularly keen appreciation for the need for balance when considering security in the cloud.

“It should be a good thing for small businesses. It should make things cheaper, more secure and more efficient. Small companies don’t always have the resources to run good security in-house – tending to see it as overhead, so for them the cloud offers a good alternative. But unless all your data is in the cloud, and all your devices are only accessing cloud-based apps – and even if you do – you still need to keep things secure on premise.”

In his position as a reseller of Microsoft Office 365 as well as many security vendors, such as McAfee and Check Point, he sees both sides of the argument, sometimes with the same customer.

“We’ve had pushback from some Office 365 customers,” he acknowledges. “They say, we have Office 365. Doesn’t that have enough security? The answer is that it isn’t always that simple. Most of our clients are only moving partially into the cloud – often for remote workers. And it bears repeating: unless all your data is in the cloud, all your devices are accessing the cloud; you still need to think about traditional security.”

Piecemeal fashion

Dale Vile, founder of the IT analyst firm Freeform Dynamics, observes that SMBs are simply adopting cloud in a more piecemeal fashion than their enterprise brethren, and that this necessarily means security will be more of a mixed bag.

The smallest firms, those without internal IT staff, are simply opting for SaaS versions of CRM applications, hosted Exchange and so on. Some are using Dropbox and its ilk as replacement S-drives, using Google Mail and Calendar to keep in touch, and might even use cloud services unawares through outsourced IT contracts.

“One level up, for SMEs with an IT team, or bod, it’s SaaS plus hosted servers, with the latter usually being fixed spec (virtual or dedicated) rather than anything elastic or Amazon-like. These guys then drop their own stuff onto those servers. Meanwhile for high tech start-ups, it tends to be SaaS for your basic core applications, then infrastructure as a service, or increasingly platform as a service, for the more customer-facing bespoke stuff,” he told us.

In all that variety, there are some constants. Security providers like to talk about a threat landscape, with three major danger zones: revenue, reputation and regulation. Work out how each of these applies to a particular client, and the solution will present itself.

“When providers started talking about cloud, people were fearful. But we must be careful now that we have countered that initial fear not to go too far and become blasé about risk,” Neophytou says. “It is an education process. Cloud is very cost effective and efficient for many companies, but there is still a need for conventional security. It is better to take a multi-layered approach.”

Poll time

BYOD and cloud are the buzzwords of the year. But how are SMEs and their resellers dealing with the proliferation of devices?

Please take a few minutes to fill in a couple of questions: you'll be helping us and the vendors get a better idea of what's happening in the real world. And who knows, you might even get what you wish for.